Cisco Study Reveals Very Few Organizations In Canada Prepared To Defend Against Today’s Rapidly Evolving Threat Landscape

Posted in Commentary with tags on March 27, 2024 by itnerd

Only one per cent of organizations in Canada have the ‘Mature’ level of readiness needed to be resilient against modern cybersecurity risks, according to Cisco’s 2024 Cybersecurity Readiness Index.

The 2024 Cisco Cybersecurity Readiness Index was developed in an era defined by hyperconnectivity and a rapidly evolving threat landscape. Companies today continue to be targeted with a variety of techniques that range from phishing and ransomware to supply chain and social engineering attacks. And while they are building defenses against these attacks, they still struggle to defend against them, slowed down by their own overly complex security postures that are dominated by multiple point solutions.

These challenges are compounded in today’s distributed working environments where data can be spread across limitless services, devices, applications, and users. However, 78 per cent of Canadian companies still feel moderately to very confident in their ability to defend against a cyberattack with their current infrastructure. This disparity between confidence and readiness suggests that companies may have misplaced confidence in their ability to navigate the threat landscape and may not be properly assessing the true scale of the challenges they face.

2024 Cisco Cybersecurity Readiness Index: Underprepared and Overconfident Companies Tackle an Evolving Threat Landscape

The Index assesses the readiness of companies on five key pillars: Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and AI Fortification, which together comprise 31 corresponding solutions and capabilities. It is based on a double-blind survey of more than 8,000 private sector security and business leaders across 30 global markets conducted by an independent third party. The respondents were asked to indicate which of these solutions and capabilities they had deployed and the stage of deployment. Companies were then classified into four stages of increasing readiness: Beginner, Formative, Progressive and Mature.

Findings

Overall, the study found that only one per cent of companies in Canada are ready to tackle today’s threats, with 78 per cent of organizations falling into the Beginner or Formative stages of readiness. Globally, 3 per cent of companies are at a Mature stage. Further:

  • Future Cyber Incidents Expected: 63 per cent of respondents said they expect a cybersecurity incident to disrupt their business in the next 12 to 24 months. The cost of being unprepared can be substantial, as 43 per cent of respondents said they experienced a cybersecurity incident in the last 12 months, and 46 per cent of those affected said it cost them at least US$300,000.
  • Point Solution Overload: The traditional approach of adopting multiple cybersecurity point solutions has not delivered effective results, as 72 per cent of respondents admitted that having multiple point solutions slowed down their team’s ability to detect, respond and recover from incidents. This raises significant concerns as 62 per cent of organizations said they have deployed ten or more point solutions in their security stacks, while 17 per cent said they have 30 or more.
  • Unsecure and Unmanaged Devices Add Complexity: 78 per cent of companies said their employees access company platforms from unmanaged devices, and 33 per cent of those spend one-fifth (20 per cent) of their time logged onto company networks from unmanaged devices. Additionally, 20 per cent reported that their employees hop between at least six networks over a week.
  • The Cyber Talent Gap Persists: Progress is being further hampered by critical talent shortages, with 83 per cent of companies highlighting it as an issue. In fact, 35 per cent of companies said they had more than ten roles related to cybersecurity unfilled in their organization at the time of the survey.
  • Future Cyber Investments Ramping Up: Companies are aware of the challenge and are ramping up their defenses with 40 per cent planning to significantly upgrade their IT infrastructure in the next 12 to 24 months. This is a marked increase from just 25 per cent who planned to do so last year. Most prominently, organizations plan to upgrade existing solutions (67 per cent), deploy new solutions (53 per cent), and invest in AI-driven technologies (50 per cent). Further, 96 per cent of companies expect to increase their cybersecurity budget in the next 12 months, and 78 per cent of respondents say their budgets will increase by 10 per cent or more.

To overcome the challenges of today’s threat landscape, companies must accelerate meaningful investments in security, including adoption of innovative security measures and a security platform approach, strengthen their network resilience, establish meaningful use of generative AI, and ramp up recruitment to bridge the cybersecurity skills gap.


Obsidian Discovers Expansive Identity Security Risk Impacting HR Systems Used Widely By The Global 2000

Posted in Commentary with tags on March 27, 2024 by itnerd

The threat research team of SaaS security company Obsidian has found a potentially expansive identity security risk that involves the fintech startup Argyle, an integration service for verifying income and employment data. 

In February, Obsidian detected a risk for organizations who are linked to Argyle through integrations with HR Management (HRM) systems widely used by the Global 2000. Argyle’s service poses serious security implications to these organizations because it prompts their employees to input corporate identity credentials through “permissioned payroll connections” into the Argyle platform – providing a pathway for unauthorized access and data compromise.

Argyle collects data that is used by the mortgage, background check, personal lending and banking industries as well as the gig economy.

Based on what Obsidian is seeing in its customer environments, it has reason to believe that many companies are at risk of credential harvesting, session cookie leakage, unauthorized access to other systems, and even falling afoul of U.S. hacking laws. The patterns that Obsidian is seeing resemble common identity theft threats, such as those for initial access from an access broker such as Okta, or fully executed payroll theft after an account takeover. 

You can read the details here.

It’s Been Over A Year Since Rogers/Yahoo Broke Email For Some Rogers Customers

Posted in Commentary with tags on March 26, 2024 by itnerd

I apologize in advance if this comes across as a bit of a rant. But honestly, I am not only in disbelief that this is still an ongoing issue a year later, but I share the frustrations of my clients who are caught up in this. More on them in a bit. But the main point of this post is that it was pointed out to me by a reader that it’s been over a year since the following chain of events started:

  • I first reported on issues with Rogers email, and the inability to generate app specific passwords to allow users of Rogers email to use email clients like Outlook and Thunderbird on March 7th of 2023.
  • While this issue dragged on, there was a workaround involving using webmail. But that workaround is sub optimal to say the least. And as this issue dragged on into April of 2023, I was left with no other option than to recommend to my many clients who are affected by this to dump Rogers as their email provider.
  • By mid April 2023, Rogers had sort of admitted that there is an issue.
  • Fast forward to August 2023. It then seemed that Rogers or more accurately Yahoo who is the company behind Rogers email was rolling out OAuth to replace the need to generate app specific passwords. But the catch was that not all email clients support OAuth. To date, only the Outlook 365 email client supports this (if you have that client, this will help you to set up your Rogers email account). Which means that Rogers users using many other email clients, or those who weren’t willing to pay Microsoft every month for Office 365 were still stuck.
  • In October 2023, Rogers started to shift the blame for their email issues to Microsoft. But in January of this year, Rogers then started to blame Yahoo.

Needless to say that this is a train wreck next to a dumpster fire. And over a year later I still have a list of nine clients who can’t use the email client of their choice with Rogers email. Nine clients who have the following in common. They are all seniors who don’t feel that they are capable of being comfortable with a switch to another ISP (Bell or Teksavvy for example) or being comfortable with a switch to a Gmail or an Outlook.com. Nor are they comfortable with making the switch to Office365 as an email client because that’s going to cost them money on a monthly basis, which matters to them as they are on fixed incomes and every dollar matters. Webmail while tolerable to get their email is not a long term solution for them as they developed processes like creating folders to file email locally before this happened. And not having that leaves them all a bit lost and confused. Thus they’re all frustrated that Rogers seemingly can’t or won’t fix this for them.

Honestly, at this point Rogers needs to do better. A company the size of Rogers simply can’t have something like this go on this long and not do its level best to make people whole again. And it doesn’t matter if it is one person, nine in my case, or a thousand. One person who can’t get their email in the manner that they want is one too many. That makes me wonder if Rogers along with Yahoo will ever fix this, or have they simply checked out and don’t care. I really hope it’s not the latter as that would reflect poorly on Rogers and Yahoo.

I’ll continue to watch this for developments and I will still be trying stuff on my end in order to make my clients whole. But frankly, given the inaction of Rogers and Yahoo, I am not holding my breath that either will come to the rescue of these people.

Trend Micro Outlines The Top Four IRS Tax Scams In 2024

Posted in Commentary with tags on March 26, 2024 by itnerd

In 2023, fraud cost U.S. consumers more than $8 billion. With tax season underway, so are tax phishing scams. Recently, global cybersecurity firm Trend Micro published a blog on the Top Four IRS Tax Scams in 2024. These include:

  1. IRS Tax Refund Scams
  2. IRS “Offer in Compromise” Scam
  3. Fake Tax Assistance Program
  4. Fake 2023 Unpaid Taxes Notification

With AI enabling more and more sophisticated tax and financial scams, consumers need to be leery of divulging personal information to avoid financial loss and potential identity theft. Once your personal information is in the hands of bad actors, your risk of identity theft is increased. A whopping 47% of Americans have experienced financial identity theft.

This blog is very worth reading so that you can protect yourself.

Inversion6 Welcomes Tom Siu as New Chief Information Security Officer

Posted in Commentary with tags on March 26, 2024 by itnerd

Inversion6, a cybersecurity company, announces today that longtime Chief Information Security Officer (CISO), Tom Siu, has joined their CISO practice. As a part of the team, he will collaborate directly with the firm’s clients to develop and manage their cybersecurity programs.

Siu will use his expertise to advise clients on operational security processes and assist clients with developing cybersecurity leadership capabilities.

The expansion of the CISO practice enables Inversion6 to continue accelerating their evolution of tailored security solutions for clients, large and small, across numerous verticals.

Siu strives to enable organizational success through relationship building with world-class IT and business leaders, strategic planning and intent-based leadership with IT teams. He is a recognized industry expert in information security with an emphasis on building and mentoring other leaders.

Siu’s recent CISO roles include acclaimed universities, Michigan State and Case Western Reserve, as well as a Virtual CISO with a veteran-owned managed security services provider. During these experiences he developed an information security program, directed an information security office staff and supported global customers with their cybersecurity strategy and product development.

Founded more than 30 years ago in Cleveland, Inversion6 has been helping build custom cybersecurity solutions for their clients and helping them stay ahead of the ever-changing threat landscape.

So There’s An “Unfixable” Bug In Apple Silicon… What Does That Mean For You?

Posted in Commentary with tags on March 26, 2024 by itnerd

Last week Ars Technica published a report of an “unfixable” bug in Apple M series processors. While I do encourage you to read the report, I’ll give you the TL;DR here:

The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.

Here’s the translation: The threat allows someone to extract security keys from these chips, breaking encryption as a result. And it can’t be fixed because doing so will make these insanely fast processors slower. In short, this is really bad. But to be fair, and before those who don’t like Macs and instead support PCs and Windows all the things chime in, Intel and AMD have had their share of similar issues. This one and this one come to mind. While there are mitigations that Apple could take such as trying to shuffle encryption tasks away from the performance cores of M series processors to the efficiency cores of said processors, like I said earlier, this flaw is basically not patchable. It also means that much like when Intel and AMD had issues like these, researchers and threat actors will start poking around M series processors to see if they can find any other flaws.

So, what can you as a Mac user do to protect yourself? Well, other than keeping your software up to date, not much really. Everything that I have read on this doesn’t point to any proof of concept code or any easy to execute attack. So this isn’t a today problem for Mac users at the moment. But that doesn’t mean it won’t become a problem later. Thus you might want to just keep an eye on this to see if new information pops up about this.

Legit Security Launches AI-Powered, Enterprise-Grade Secrets Scanning Product

Posted in Commentary with tags on March 26, 2024 by itnerd

Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced the launch of its standalone enterprise secrets scanning product, which can detect, remediate, and prevent secrets exposure across the software development pipeline. An AI-powered solution that enables secrets discovery beyond source code, Legit’s offering is built to meet the needs of even the most complex development organizations.

This new offering provides CISOs and their teams with enterprise-grade security capable of addressing the needs of the world’s largest and most complex organizations. Security teams can now identify, remediate, and prevent the exposure of secrets across developer tools, such as GitHub, GitLab, Azure DevOps, Jenkins, Bitbucket, Docker images, Confluence, Jira, and more. Legit’s AI-powered engine also delivers highly accurate results; false positives are reduced by as much as 86%.

Secrets, such as API keys, access keys, passwords, and personally identifiable information (PII), are valuable assets and a focal point for attackers. At the same time, applications and developers are using more and more secrets and non-human credentials to function. According to IBM’s 2023 Data Breach Report, secret leak risks are the second most common initial attack vector. Protecting secrets is mission-critical, as just one disclosure can lead to multiple breaches that are costly and often difficult to remediate. With Legit, organizations can identify, remediate, and prevent the loss of secrets across various developer tools and platforms.

Key benefits of Legit’s enterprise secrets scanning product include:

  • Performance and scale: Organizations receive enterprise-grade secrets scanning capabilities suitable for large-scale organizations to scan thousands of developer assets within minutes.
  • Going beyond source code: CISOs and their teams can identify, remediate, and prevent the loss of secrets across developer tools, ranging from GitHub, GitLab, Azure DevOps, and Bitbucket to Docker images, artifacts, Confluence pages, and more.
  • AI-powered accuracy: Legit delivers more accurate results through its continual learning engine. In addition, extensive context and prioritization capabilities limit the impact of false positives.
  • Centralized management: Organizations can seamlessly create custom policies, manage exceptions, and execute secrets scanning across all products, systems, and teams.
  • Continuous developer attack surface visibility: Legit discovers and analyzes dev assets such as code, build systems, artifacts, and more. This approach ensures no corner is left unchecked and adds context, such as exposure vectors, to the findings.
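The press release above lists capabilities without showing what “going beyond source code” or “limiting false positives” looks like in practice. The following is an added illustration, not Legit’s code and not from the page: one scanner run over constructed samples standing in for a Dockerfile, a Jenkins pipeline, a CI config, a wiki page and a build artifact. It layers three detectors that real secrets scanners combine (publicly documented token shapes such as the AWS access key ID and GitHub PAT prefixes, credential-keyword assignments, and a Shannon-entropy check for generic high-entropy strings) and filters template placeholders so `${VAR}` references are not reported. The file contents, the hypothetical function names and the 4.5-bit threshold are assumptions; `AKIAIOSFODNN7EXAMPLE` is AWS’s own documentation example value.

```python
import math
import re
from collections import Counter

# Publicly documented token shapes (prefix + fixed-length body)
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# "name = value" / "name: value" where the name suggests a credential
KEYWORD_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
# Long runs of base64-alphabet characters are candidates for the entropy check
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
ENTROPY_THRESHOLD = 4.5   # bits per character (assumed); random base64 sits near 6, hex tops out at 4


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value):
    """Template references and obvious dummies are not leaked secrets."""
    return value.startswith(("${", "{{", "<")) or value.lower() in {"changeme", "password", "example"}


def redact(value):
    # Never echo the full secret into a report; keep a short prefix for triage
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(name, text):
    """At most one finding per line: exact patterns first, then keyword assignments, then entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = None
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                hit = (kind, m.group(0))
                break
        if hit is None:
            m = KEYWORD_ASSIGNMENT.search(line)
            if m and not is_placeholder(m.group(2)):
                hit = ("keyword_assignment", m.group(2))
        if hit is None:
            for m in ENTROPY_CANDIDATE.finditer(line):
                if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                    hit = ("high_entropy", m.group(0))
                    break
        if hit is not None:
            findings.append({"file": name, "line": lineno, "kind": hit[0], "preview": redact(hit[1])})
    return findings


def scan_files(files):
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed inputs: a Docker image layer, a Jenkins pipeline, a CI config with a template
# placeholder, a wiki page, and a build artifact carrying a checksum plus an opaque blob.
SAMPLE_FILES = {
    "Dockerfile": "FROM python:3.12\nENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nRUN pip install -r requirements.txt\n",
    "Jenkinsfile": "pipeline {\n  environment {\n    DB_PASSWORD = 'hunter2-but-much-longer-p4ssw0rd'\n  }\n}\n",
    "ci/pipeline.yml": "services:\n  db:\n    password: ${DB_PASSWORD}\n",
    "wiki/onboarding.md": "Use token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij to clone the repo.\nSupport: help@example.com\n",
    "build/artifact.env": "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\nX_ENC=kZ3mQ8pX1vB5nR0tY7cW2hL9dF4gS6jA\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']}")
```

Two design points matter for the false-positive rate the press release emphasises: the hex checksum in the artifact is not reported because a hex alphabet cannot exceed 4 bits per character, and the `${DB_PASSWORD}` reference in the CI config is dropped by the placeholder filter even though the keyword rule matches it.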

With enterprise secrets scanning from Legit, customers can start with secrets scanning and, based on future needs, expand to other use cases, such as vulnerability management, compliance, and software supply chain security.

Highlighting the effectiveness of Legit’s enterprise secrets scanning, a leading financial services organization recently found the security of its software supply chain significantly improved after deploying Legit’s solution. The comprehensive scanning and integration capabilities provided insights into potential risks, leading to more informed decision-making and strengthened security practices.

Legit Security’s new product is available now to new and existing customers. For more information, visit www.legitsecurity.com. To learn more about how Legit tackles secrets detection, join a webcast – “Secrets Detection: Why Coverage Throughout the SDLC is Critical to Your Security Posture” – on Thursday, March 28, 2024 at 2:30 pm ET. Register for the event here.

New Report By CDW Canada Finds Three-in-Five Canadian Organizations Are Open to Using AI

Posted in Commentary with tags on March 26, 2024 by itnerd

CDW Canada today released new research about the attitudes, concerns and adoption patterns of artificial intelligence (AI) technology in Canada. The Evolution of AI Adoption in Canadian Businesses: Perceptions and Trends contains research conducted among members of the Angus Reid Forum, including over 300 IT decision-makers across businesses of varying sizes and industries throughout Canada.

Organizations recognize the benefits of AI adoption

As Canadian organizations navigate the rapidly advancing AI landscape, a sense of cautious optimism persists. Three-in-five organizations (61 percent) are open to using AI and over half (58 percent) believe that incorporating AI enhances productivity and efficiency. Despite this openness, only half (51 percent) feel comfortable about its current use.

The most common benefits Canadian organizations expect following investment in AI include increased productivity and efficiency (58 percent), increased data/information availability (48 percent) and financial benefits or cost reductions (42 percent).

Understanding AI creates challenges for integration

Lack of knowledge and education are the primary obstacles Canadian organizations face when embracing AI and data analytics tools, despite the recognized benefits.

While half (52 percent) of IT decision-makers whose organizations have implemented AI for specific tools consider the process easy, only one-in-five (21 percent) IT decision-makers feel confident in their organization’s ability to implement them effectively. This highlights a significant gap in education and governance between those responsible for overseeing AI integration, the organizations they work for and assumptions about the complexity of AI tools.

Organizations are just scratching the surface of AI tools

Most organizations are only scratching the surface in exploring the capabilities of data analytics and AI tools.

The most widely used AI tools are natural language processing (NLP) tools. While useful, NLPs are not representative of AI’s full scope and capabilities. One-in-five organizations use machine learning and deep learning platforms (20 percent) and automation and optimization tools (19 percent) compared to half (50 percent) that use NLP and interaction tools. For Canadian organizations to remain competitive there needs to be greater education on AI’s full potential.

Public and private sectors have differing paths to AI adoption

The landscape of AI adoption varies between the public and private sectors, with each facing distinct challenges and opportunities. Both are open to AI adoption, but a higher portion of public sector respondents (64 percent) express openness for AI adoption compared to the private sector (58 percent).

The public sector places stronger emphasis on security, privacy and data protection, with over half (57 percent) citing these as high-risk factors, along with personal data breaches (54 percent). By comparison, the private sector is more concerned with issues such as biased inputs/user programming (42 percent), ethical implications (41 percent) and unclear legal regulations (40 percent). This discrepancy underscores the public sector’s heightened sensitivity to the potential consequences of breaches and its commitment to safeguarding Canadians’ data and privacy.

Learn more about the state of AI adoption among Canadian organizations and download the report here.

About the Survey

These are the findings of an online survey conducted by CDW from February 1 to February 8, 2024, among a sample of 309 IT decision-makers who are members of the Angus Reid Forum. The survey was conducted in English. For comparison purposes only, a probability sample of this size would carry a margin of error of +/-6 percentage points, 19 times out of 20.

CISA, The FBI, And MS-ISAC Release DDoS Attack Guidance For The Public Sector

Posted in Commentary with tags on March 26, 2024 by itnerd

In a joint advisory, CISA, the FBI, and MS-ISAC have published new guidance, Understanding and Responding to Distributed Denial-Of-Service Attacks, for federal, state and local government agencies to help prevent disruption to critical services.

The advisory noted that DDoS attacks are difficult to trace and block and are commonly used by politically motivated attackers, with government websites often targeted by one of three types of DDoS attack: volume-based, protocol-based, and application layer-based attacks.

The guidelines emphasized that there are steps that can be taken to mitigate the possibility of being hit. These include:

  • Use risk assessments to identify potential vulnerabilities
  • Implement robust network monitoring tools and detection systems
  • Integrate CAPTCHA challenges
  • Configure your firewalls to filter out suspicious traffic
  • Regularly patch and update all software, operating systems and network devices
  • Train employees about DDoS attacks, and how to recognize and report suspicious activities

The advisory also emphasized the importance of putting in place measures to maintain service availability during a DDoS attack such as increasing bandwidth capacity and implementing load balancing solutions to distribute traffic to handle sudden spikes in traffic during an attack. Also, establish redundancy and failover mechanisms to redirect traffic and regularly back up critical data to allow for fast recovery and minimize data loss.
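The advisory’s “monitoring tools and detection systems” item is the one a small agency can act on fastest, because application-layer floods show up directly in the web server’s own access log. As an added example (not from the advisory, CISA, or the page), the following Python reads Apache/nginx combined-format log lines and computes, per source address, the peak number of requests seen inside a sliding window; sources over a limit are reported as flood candidates for the firewall or rate-limiting rules the advisory recommends. The log lines are constructed (one ordinary visitor, one source hammering a search endpoint), and the 10-second window, the 20-request limit and the function names are assumptions to tune for real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line; the sample lines below are constructed, not real traffic
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def peak_rates(lines, window_seconds=10):
    """Peak number of requests any single source made inside a sliding window.

    Lines are expected in timestamp order, as a server writes them.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # malformed line: skip rather than crash the detector
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and q[0] <= rec["ts"] - window:
            q.popleft()             # drop requests that have aged out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def detect_floods(lines, window_seconds=10, max_requests=20):
    """Sources whose peak in-window request count exceeds max_requests (flood candidates)."""
    return {ip: n for ip, n in peak_rates(lines, window_seconds).items() if n > max_requests}


def _make_sample_lines():
    # Constructed traffic: one ordinary visitor and one source hammering a search endpoint
    base = datetime(2024, 3, 26, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("198.51.100.23", i * 12, "/services") for i in range(6)]      # 6 hits over a minute
    lines += [line("203.0.113.7", i // 10, "/search?q=x") for i in range(50)]   # 50 hits in 5 seconds
    return sorted(lines, key=lambda l: parse_line(l)["ts"])   # emulate a time-ordered log


SAMPLE_LINES = _make_sample_lines()

if __name__ == "__main__":
    for ip, n in detect_floods(SAMPLE_LINES).items():
        print(f"flood candidate {ip}: {n} requests in a 10s window")
```

A per-source threshold like this catches the volumetric and simple application-layer cases; the low-and-slow attacks discussed below stay under any such limit by design, which is why the on-premises, protocol-aware defenses mentioned in the quote are needed alongside it.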

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Although volumetric DDoS attacks have been pretty much defeated by those who offer cloud-based DDoS defenses, protocol-based attacks and application layer-based attacks are still a resounding problem. These attacks are often low-and-slow attacks that are extremely difficult to defeat in the cloud since defenses regularly end up blocking legitimate traffic.

   “For those who are concerned about DDoS attacks, the best approach is a hybrid one. Subscribe to cloud-based DDoS defensive services to defeat volumetric attacks and deploy specialty-built DDoS defenses on-premises in front of your border firewalls to defeat the low-and-slow attacks. This way, all types of DDoS attacks can be defeated.”

A DDoS attack can be highly disruptive if an organization isn’t prepared to defend against one. So it is in any organization’s interest to add this to the list that they need to have a playbook for. Fortunately this joint advisory will help with that.

HYAS Threat Intel Report Is Now Out

Posted in Commentary with tags on March 25, 2024 by itnerd

HYAS Infosec has just issued the Threat Intel Report March 25, 2024, in which HYAS Threat Intelligence Security Engineer David Brunsdon details:

  • Top ASNs Under Observation
  • The most active malware families during the week that’s just ended.

The Report includes specific details on each ASN, including organizational description and location, recent activity, organization type (hosting, ISP, telco) and recommendation for protecting organizations.

For the Top Malware Families Under Observation, the report provides descriptions of each threat, recent activities, specific risks and potential impacts, and recommendations for mitigation and tightening security posture against the threat.